Microsoft told customers a fresh SharePoint Server vulnerability carried low odds of real-world abuse. Days later, federal authorities added it to the list of bugs already under active attack. The reversal highlights persistent gaps between vendor risk predictions and evidence gathered by defenders watching the trenches.
CISA placed CVE-2026-45659 into its Known Exploited Vulnerabilities catalog on July 1, 2026. The entry triggered a tight deadline. Federal civilian agencies must install Microsoft’s May 2026 patches or pull the systems offline by July 4. The flaw sits at CVSS 8.8. Attackers need only a valid account with Site Member rights. From there they can run code on vulnerable on-premises servers. (Source: CISA catalog entry.)
The Register first reported the mismatch between Microsoft’s language and CISA’s move. When patches dropped in May, Redmond assessed exploitation as “Less Likely.” Attackers have now shown otherwise. The bug stems from insecure deserialization of untrusted data. Any authenticated user with minimal permissions can reach it over the network. Complexity stays low. No administrator rights required. “Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges,” Microsoft stated in its advisory. (Source: The Register report.)
The affected products span SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Organizations still running these versions face immediate pressure. Many keep SharePoint exposed to the internet for collaboration. That choice now carries sharper risk. Once inside the environment, successful exploitation opens paths to persistence, data theft, or ransomware staging.
The Hacker News covered CISA’s announcement in detail the same day. It quoted the agency’s description directly: “Microsoft SharePoint Server contains a deserialization of untrusted data vulnerability which allows an authorized attacker to execute code over a network.” The outlet noted the short timeline given to agencies. (Source: The Hacker News coverage.)
This episode echoes earlier SharePoint troubles. In 2025, multiple deserialization flaws drew rapid exploitation and repeated KEV listings. CVE-2025-53770, for instance, earned the nickname ToolShell after attackers chained it with bypasses. Microsoft issued emergency guidance then, too. The pattern suggests on-premises SharePoint remains a favored target. Its complexity, legacy configurations, and broad deployment create an attractive attack surface.
Security teams monitoring X saw the news spread quickly. Posts warned of compliance implications. “If CISA’s calling it out, your auditors will too,” one account noted. Others urged immediate patching for hybrid and on-prem environments. The conversation mixed urgency with familiar frustration over vendor exploitability ratings that age poorly once proof-of-concept code circulates.
BleepingComputer reported the active exploitation status alongside the KEV addition. It stressed that the low-privilege requirement makes the bug accessible to a wider set of threat actors than pre-authentication flaws. (Source: BleepingComputer article.) Microsoft has not published evidence of specific threat groups behind the current wave. CISA likewise withheld details on victims or campaign scale. The agency simply cited “evidence of active exploitation” and reminded readers that such bugs frequently serve as initial access for larger operations.
Administrators should check patch status first. Then review internet-facing instances. Many experts recommend restricting SharePoint exposure where possible or placing it behind strict access controls. Monitoring for anomalous deserialization attempts or unexpected processes on SharePoint servers becomes essential. Web shell detection tools can help hunt post-exploitation artifacts that may already exist in unpatched environments.
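One concrete way to act on the last two recommendations, written as an added example for this article rather than code from Microsoft, CISA, or any of the cited outlets: a small hunt script that walks a SharePoint web-served folder (the hive's TEMPLATE\LAYOUTS tree is a common drop location) and flags server-side script files that were written after your patch date or that contain constructs typical of web shells. Python is used here for portability; a SharePoint administrator would more naturally run the same logic in PowerShell. The directory tree, file names, file contents, pattern list, and the 2026-05-01 cutoff are all constructed for the example and should be tuned to your own environment.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Extensions IIS will execute if a file with that name lands in a web-served
# SharePoint folder. A new file of one of these types is worth a look on its own.
SERVER_SIDE_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax"}

# Constructs that are rare in legitimate SharePoint layout pages but typical of
# post-exploitation web shells: OS process launch, runtime assembly loading, and
# shell interpreters referenced from page code. Constructed starting set; tune it.
SUSPICIOUS_PATTERNS = {
    "process_start": re.compile(r"Process\.Start\s*\(", re.IGNORECASE),
    "assembly_load": re.compile(r"Assembly\.Load\s*\(", re.IGNORECASE),
    "shell_interpreter": re.compile(r"\b(cmd\.exe|powershell(\.exe)?)\b", re.IGNORECASE),
}


def hunt_web_shells(web_root, modified_after):
    """Walk web_root and return findings for server-side script files that were
    written after `modified_after` (a tz-aware datetime, e.g. your patch date)
    or that contain any SUSPICIOUS_PATTERNS. Each finding is a dict holding the
    path and the list of reasons it was flagged, sorted by path."""
    findings = []
    for path in Path(web_root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SERVER_SIDE_EXTENSIONS:
            continue
        reasons = []
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if mtime > modified_after:
            reasons.append(f"modified {mtime.isoformat()} after cutoff")
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            text = ""
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(text):
                reasons.append(f"matches {name}")
        if reasons:
            findings.append({"path": str(path), "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_layouts(base_dir, cutoff):
    """Populate base_dir with a constructed, hypothetical LAYOUTS-style tree:
    one legitimate-looking page last written long before the cutoff, and one
    dropped page written after it whose page code launches a process.
    File names and contents are made up for this example."""
    layouts = Path(base_dir) / "TEMPLATE" / "LAYOUTS"
    layouts.mkdir(parents=True)

    benign = layouts / "settings.aspx"
    benign.write_text('<%@ Page Language="C#" %>\n<html><body>Site settings</body></html>\n')
    old = (cutoff - timedelta(days=400)).timestamp()
    os.utime(benign, (old, old))  # pretend it shipped with the product long ago

    dropped = layouts / "hypothetical_dropped.aspx"
    dropped.write_text(
        '<%@ Page Language="C#" %>\n'
        '<% System.Diagnostics.Process.Start("cmd.exe"); %>\n'  # constructed marker, not a working shell
    )
    recent = (cutoff + timedelta(days=1)).timestamp()
    os.utime(dropped, (recent, recent))  # pretend it appeared after patching
    return str(layouts)


def run_demo():
    """Build the constructed tree in a temp dir and hunt it. Returns the findings."""
    cutoff = datetime(2026, 5, 1, tzinfo=timezone.utc)  # placeholder for your patch date
    with tempfile.TemporaryDirectory() as tmp:
        layouts = build_sample_layouts(tmp, cutoff)
        return hunt_web_shells(layouts, cutoff)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

Against the constructed tree only the dropped page is reported, for both its modification time and its contents; the shipped page is silent on both checks. In production, point `hunt_web_shells` at the real hive folders and any other IIS-served SharePoint paths, set `modified_after` to the time you applied the May update, and review every hit by hand, since a file written by a legitimate post-patch deployment will also trip the timestamp rule.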
The KEV catalog itself continues to grow. CISA maintains it as a living document to drive prioritized remediation across government and, by extension, private sector organizations that follow its signals. Binding Operational Directive 26-04 gives agencies the formal push. Yet the directive’s influence reaches further. Vendors, managed service providers, and risk committees treat KEV entries as de facto must-fix items. A bug’s appearance there often accelerates board-level attention and budget allocation.
Microsoft’s initial “Less Likely” label was not unusual. Vendors issue such assessments to guide customer prioritization when patches carry operational cost or require downtime. History shows these forecasts can miss once public patches allow researchers and adversaries to dissect the changes. Reverse engineering often reveals reliable exploitation paths faster than anticipated. In this case the window between patch release and KEV addition measured roughly two months. Not the fastest turnaround on record, but fast enough to catch many organizations off guard.
SharePoint’s role inside enterprises adds weight. The platform stores sensitive documents, powers intranets, and integrates with broader Microsoft ecosystems. Successful compromise can yield high-value intelligence or footholds for lateral movement into Active Directory or cloud tenants. Ransomware operators have targeted similar collaboration servers for exactly these reasons. Unknown here is whether the current exploitation ties to ransomware. CISA left that field blank in the catalog entry.
For security leaders the lesson sits in three parts. First, treat vendor exploitability ratings as one data point, not gospel. Second, maintain aggressive patching cadence for internet-facing collaboration tools. Third, invest in detection for the post-exploitation behaviors that follow RCE. Deserialization bugs rarely stop at initial code execution. They invite follow-on activity that proper logging and behavioral analytics can surface.
Organizations running fully patched versions hold an advantage today. Those lagging now operate under a known, exploited threat. The July 4 deadline for federal systems sharpens focus. Private companies lack that formal clock but face the same underlying risk. Auditors, insurers, and customers increasingly ask about KEV remediation as part of due diligence. Ignoring the catalog entry is becoming difficult to defend.
The episode also feeds broader discussion about on-premises software maintenance. Cloud services receive automatic updates. Legacy server deployments do not. SharePoint Server still commands a significant installed base despite Microsoft’s push toward SharePoint Online. That reality keeps these vulnerabilities relevant long after initial disclosure. Future patches will likely address similar deserialization vectors. The question is whether defenders will close the gaps before adversaries exploit them.
Microsoft has updated its security guidance to reflect the KEV listing. Customers should apply the May updates immediately if they have not. Where updates cannot deploy quickly, temporary network segmentation or reduced permissions may limit exposure. Neither approach replaces patching. They serve only as stopgap measures while remediation completes.
CISA’s catalog now lists over 1,600 vulnerabilities with proven exploitation. CVE-2026-45659 joins a crowded field dominated by remote code execution flaws in widely used enterprise products. Its addition reinforces a simple truth. When defenders see active use in the wild, theoretical risk ratings lose relevance. Actionable intelligence from CISA moves the vulnerability from “consider patching” to “must address now.”
Security teams that treat every KEV entry with urgency reduce their attack surface fastest. Those who wait for more proof often discover the proof arrived too late. In the race between patch and exploit, starting first still decides the winner.